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Abstract 

This is a report on our research into anti-theft technologies uti- 
lized in the PC BIOS. In particular, we have analyzed the Computrace 
BIOS agent and documented some design vulnerabilities that allow the 
agents reporting address to be controlled. Additionally, we outline an 
experimental method for re-setting the permanent activation/deacti- 
vation capability of the persistent agent in the BIOS to the default 
factory settings. We are certain that this available control of the anti- 
theft agent allows a highly dangerous form of BIOS-enhanced rootkit 
that can bypass all chipset or installation restrictions and reutilize 
many existing features offered in this kind of software. 



1 Introduction 

Computer-based anti-theft technologies are used to prevent or deter the 
unauthorized appropriation of a physical system. 

Embedded into the BIOS of most notebooks sold since 2005, when anti- 
theft technology vendors Phoenix[ ] and Absolute [1] reached a licensing 
agreement [ ] they are extremely popular today. According to the vendors 
own corporate fact sheet [1], Phoenix is the dominant leader in the market 
for portable BIOS, with 60% of all sales , and BIOS offers a high level of 
persistence, making it the ideal place for anti-theft technologies to reside. 

The system works by periodically reporting back to a central authority. 
In the event of theft, the central authority can instruct the resident agent to 
wipe all information as a security measure, or to track the whereabouts of 
the system, to help recover the stolen items via subsequent law enforcement 
activities 1 . In order to be an effective system, the anti-theft agent must be 
stealthy, must have complete control of the system, and most importantly, 
must be highly persistent because wiping of the whole system most often 
occurs in the case of theft. 

This activity is also consistent with rootkit behavior, the only difference 
being that rootkits are generally malicious, while anti-theft technologies act 
as a form of protection against thieves. 

However, in the course of researching matters of BIOS security we found 
that a lack of strong authentication in the most popular anti-theft tech- 
nologies are the source of vulnerabilities that can lead to a complete and 
persistent compromise of an affected system, as we will explain in the rest 
of this article. 

2 Computrace Agent 

While doing the research that resulted in the publication of the 'Persistent 
BIOS Infection' article at the CanSecWest and Syscan Conference in early 
2009, the Computrace persistent Agent was found in multiple notebook 
BIOS systems. Upon further investigation, a complete description of the 
agent was found on the United States Patent Application US 2006/0272020 
Al. This information is in the public domain, and many complaints about 



1 from Absolute site: "Absolute has partnerships with tier one PC OEMs such as Dell, 
Fujitsu, Gateway, HP, Lenovo, Motion Computing, Panasonic and Toshiba. Embedded 
in the BIOS firmware of a computer, the Computrace Agent can survive operating system 
re-installations, hard drive reformats and even hard drive replacements. The company 
has reselling partnerships that extend beyond this list of OEMs that include global leaders 
such as Apple and Toshiba. Absolute has also established strategic relationships with more 
than 1000 police departments, government security agencies and private security firms 
throughout North America and around the world. " 



the involved technology have been posted online, some even with valid in- 
structions for erasing Computrace completely from the BIOS [ ]. 

The Agent in question is a PCI Option ROM embedded version found 
on most notebook BIOS, and some Desktop BIOS systems as well. The 
Optional ROM is deactivated by default as the PCI device that it refers 
to (1917:1234) doesn't exist. Upon activation, it modifies the underlying 
Windows file system directly from the BIOS?, installing a new service and 
modifying various core system files like the registry, and self-healing mech- 
anisms including Autochk.exe. 

The Computrace anti-theft system also has the capability to read Bit- 
locked file systems on Windows Vista. 

The BIOS Agent supports Windows 98/XP and Vista, with either FAT32 
or NTFS file systems. We studied many versions of the Computrace Agent, 
including V80.845 and V80.866. Once installed and with Windows fully 
booted, the agent runs as a Windows service and proceeds to contact a 
remote system and wait for orders. This process can consist in the down- 
loading of additional software or reporting of various run-time parameters. 

2.1 BIOS code 

The following hexadecimal dump details the Computrace PCI Option ROM 
header found inside the BIOS of a HP 9420 notebook computer. The Option 
ROM is deactivated because it correspond to the PCI Device 1917:1234, 
inexistent on the system. 



Interestingly, Computrace uses the UPX packing software, version 1.00, 
you can see the UPX! signature near offset 0x200: 



2.2 Detail of agent operation 

When installed, the deployed agent registers itself as a normal windows ser- 
vice using the name "Remote Procedure Call (RPC) Net". This name, with 
slight variations, is also used by Windows to refer other legitimate services 
as "Remote Procedure Call (RPC)" (Used to provide the endpoint map- 
per and other RPC Services) and "Remote Procedure Call (RPC) Locator" 
(In charge of managing the RPC name service database). In this way, the 
registered service could be easily confused with these legitimate Windows 
services, except for its lack of a description. The service is implemented on 
the rpcnet.exe or rpcnetp.exe file. 

2 The Agent has small but functional file system drivers 



3 Report URL redirection. Who is the thief? 

The persistent agent uses a configuration method consisting in a 512-byte 
block of data. This block contains configuration items like IP, port and URL 
of report, as well as expiration date and AT commands (The agent also has 
modem reporting capabilities). The block can reside in many places. It's 
hard-coded inside the Option-ROM, with the 'search.namequery.com' URL 
and IP used as the default reporting point, as we show in section3.1. 

However, on the first run this configuration block is copied in many 
places, including the registry and hard-disk inter-partition space. Allowing 
the agent in this way to survive hard disk formats. Again, the obfusca- 
tion method used in this configuration block is a XOR operation, this time 
against the 8-bit key 0xB5. The block is obfuscated on a slightly more con- 
voluted way on the registry. But the encryption algorithm is similar, making 
the modification trivial. 

We are presenting a method to search and modify this configuration 
block, pointing the IP and URL to a malicious site, where un-authenticated 
payloads can be directed to the involved notebook. Modification of the block 
in the inter-partition space allows for a format-resistant malicious agent. 
On unsigned BlOSes, direct Option ROM modification of the configuration 
block allows for a very persistent and dangerous form of rootkit, taking in 
account that anti- virus software will ignore the agent, recognizing it as the 
normal Computrace agent, as no modification to the Agent itself is being 
made. 

3.1 Configuration block 

Below is the configuration block used by the Computrace agent V80.866, it 
was extracted from the Option ROM with the UPX utility. The Configura- 
tion block starts at offset 0x3c38: 



Doing a 8-bit XOR with 0xB5, we can see the plain-text configuration: 



With the port clearly visible at offset 0x32, IP at offset 0x35 and URL 
at 0x39. The communication is made via plain HTTP connections, using 
wininet.dll exported functions. 

This is the hard-coded block located on BIOS. When installed, the agent 
copies this block to the registry keys: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcnet\Parameters 
or 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rpcnet\Parameters 

subkey Security, depending if the Persistent (BIOS) agent is used or not. 

Unpacked, the configuration block is easily modifiable. By simply chang- 
ing the URL or IP, we can redirect the agent queries to our site. This is very 
easy to accomplish in the registry, but we don't have persistence for merely 
modifying the registry. To modify the configuration of the persistent agent 
we need to modify and reflash the BIOS. This is possible in many systems 
at the date of publication for this article, as unsigned BIOS are common. 

4 Computrace Agent stub: Bios code execution 

As we said on section 2, we found many incarnations of the persistent agent. 

One particular example , found on notebooks like Dell Vostro 1510, is 
the Computrace V 70.785 agent (this number may change with the BIOS 
version). This agent doesn't contain any code except for a small stub used to 
load additional code from a sector on the hard disk located outside normal 
partitions. This is also documented on the public patent application US 
2006/027220 Al. 

The code on the hard-disk contains a small header that indicates the 
stub where to load the code in the memory, and carry out a CRC-16 check. 
We found the lack of code authentication in this particular case provides an 
easy way to build a BIOS- rootkit attack, as an unauthorized privileged user 
could put code on hard disk that will be executing directly on the BIOS. 

5 Factory-reset of permanent activation/deactiva- 
tion 

On some notebooks models like the Dell Inspiron series, the persistent agent 
can be permanently activated or deactivated with an option on the BIOS 
setup utility. This is accomplished using SMBIOS Tokens, number 0x175 



and 0x176 for activation and deactivation respectively, and the configuration 
data is stored in NVRAM instead of CMOS. 

We will show a method to reset the NVRAM via a malfunction of the 
SMBIOS, producing a race-condition with the Dell Client Configuration 
Utility (DCCU), therefore resetting the persistent agent activation status 
to factory defaults. This allows for an all-software activation-deactivation 
method, demonstrating that no permanent activation or deactivation can 
be achieved. Please refer to Section 9 for instructions on how to reproduce 
this failure in Dell Inspiron 1525 models. 

6 Further information 

There are other anti-theft technologies today that contains a BIOS-component, 
like Phoenix Failsafe and Intel Anti-theft technology [ ], but no research has 
been conducted on those systems so far by CoreLabs. 

7 Conclusion 

At this time, we found three major problems with common Absolute-Computrace 
Implementations: 

1. Lack of authentication of configuration options, leading to report redi- 
rection. 

2. Lack of authentication of code in stub agent, leading to bios code 
execution. 

3. On at least one specific setup, activation/deactivation of the Compu- 
trace Agent can be reverted to factory defaults. 

For issues 1 and 2 a digital signature scheme would fix the issues. We 
don't have any recommendation for the issue number 3 at this moment. 
Furthermore, there are couple of issues that at the time of this report we 
can't confirm: 

4 Unauthenticated code download from the Agent once activated. 

5 Unauthenticated BIOS agent activation. 

Issues 1, 4 and 5 combined would allow for an extremely dangerous BIOS- 
assisted rootkit software attack to be deployed on the majority of notebooks 
today. 

Issue 2 is dangerous by itself, providing a simple and reliable method 
to execute any code in the context of the BIOS, once the Option- ROM is 
activated. 
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9 DCCU settings 

You can use the following XML file as TaskResult.xml, loading it via the 
DCCU web interface. The version used is DCCU 3.0.1213. Loading into 
DCCU and applying the settings to the BIOS will cause the malfunction 
that will reset the NVRAM. 
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